PKI Applications

The most widespread use of PKI is server identification certificates.
SSL requires a PKI certificate on the server to assert its identity in a
trustworthy manner to the client. Every HTTPS web server
connection uses SSL and therefore also uses PKI. This outreach web
page focuses on client-side applications of PKI - using end user PKI
certificates instead of or in addition to server certificates.

Client-side applications of PKI fit three main categories:

Authentication

Digital signatures

Encryption

Authentication applies to any application that needs to know
with assurance the identity of the user and that the user is actually
the one who is present. Traditional authentication typically uses
usernames and passwords. PKI provides a more secure alternative to
this whereby identity is proven by possession of a private key instead
of a password. A password is still usually required to protect
the private key, but that password is managed locally by the user
instead of shared with the application server (a major improvement in
security).

Digital signatures enable a user to put their "digital John Hancock" on
an electronic document. This is directly analogous to signing in
pen on a paper document except it goes one step further and
associates the exact contents of the digital document with the signature
in a way that makes tampering with the document's contents after the
signature easy to detect. Again, it is possession of the private
key that assures that only the owner of the PKI digital credentials
could have executed the signature.

Encryption is standard protection of data in a file with a twist.
Anyone can encrypt data intended to be read by a particular user by
using their public key for the encryption process. But only the
designated user possesses the private key that can decrypt the data, so
its privacy is assured by the security of their private key.
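As an added example that is not part of this page, the following Go program (standard library only) shows the two client-side operations described in the digital signature and encryption sections: a document is signed with the user's private key and any later change to its contents makes verification fail, and data is encrypted to a user's public key so that only the holder of the matching private key can read it. It assumes freshly generated in-memory key pairs standing in for the user's PKI credentials and a constructed sample document; a real deployment would load the private key from the user's protected keystore and take the public key from their certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the exact document contents and signs the digest with
// the user's private key, binding the signature to those contents.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest from the document as received and
// checks it against the signature using only the signer's public key.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// EncryptForUser encrypts data with the recipient's public key (RSA-OAEP);
// anyone holding the public key can do this.
func EncryptForUser(pub *rsa.PublicKey, data []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
}

// DecryptAsUser recovers the data; only the private key holder can do this.
func DecryptAsUser(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	// Assumption: in-memory keys stand in for the user's issued credentials.
	signKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Pay $100 to Alice") // constructed sample document
	sig, _ := SignDocument(signKey, doc)
	fmt.Println("original verifies:", VerifyDocument(&signKey.PublicKey, doc, sig))
	tampered := []byte("Pay $900 to Alice")
	fmt.Println("tampered verifies:", VerifyDocument(&signKey.PublicKey, tampered, sig))

	encKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ := EncryptForUser(&encKey.PublicKey, []byte("for Alice only"))
	pt, _ := DecryptAsUser(encKey, ct)
	fmt.Println("decrypted:", string(pt))
}
```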